Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Security Strategy, Plan, Budget, Incident Response, TDR, Threat Management, Malware, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Mobile malware prevalence expands, but privacy-abusing apps should be top of mind

A new study has found that mobile malware soared by more than 600 percent over the past year, but one security researcher said users should be more concerned about a far more likelier threat on their smartphones and tablets.

Patrick Traynor, an assistant professor in the college of computing at Georgia Tech, told SCMagazine.com on Wednesday that the “biggest thing users should be aware of is legitimate applications that try to take your private information.”

Although research has tracked the growing savvy of malware authors, most recently the believed beginnings of mobile ransomware campaigns targeting Android users, and reports have marked a rapid spike in mobile malware discoveries – Juniper's third-annual “Mobile Threats Report” this week revealed a 614 percent increase in malicious apps over the past year – these threats are more of the exception than the rule, Taylor said.

To him, apps that fail to provide clear indications to users of how they plan to use the data they collect – or how much data they collect in the first place – are the more “realistic” threat to the consumer, as well as companies that have embraced bring-your-own-device (BYOD). In February, Traynor, along with a team of Georgia Tech researchers and Manos Antonakakis, chief scientist at security firm Damballa, authored a study (PDF) that found that only 3,492 devices in a network of 380 million were infected with mobile malware – accounting for less than 0.0009 percent of the overall sample.

Dan Guido, CEO of security start-up Trail of Bits, told SCMagazine.com in a Wednesday email that app developers for Android users should do more to provide privacy management options in their apps.

“Android users click through the privacy decisions they are asked to make to get access to the applications they want, then are given little to no tools to manage this access,” Guido said.

Juniper Networks' “Mobile Threats Report” also highlighted the issue of applications requiring unnecessary access to data stored on devices.

The study, conducted for one year beginning in March 2012, also warned that users should be less trusting of free apps, since they tend to collect more sensitive data than apps for which customers pay. Free apps are three times more likely to track mobile users' location, and 2 1/2 times more likely to access their address books than purchased apps.

As an example, security firm Symantec on Wednesday notified users on its blog that the legitimate and free Facebook app for Android has a bug that causes users' phone numbers to be leaked without their knowledge. More than seven million devices have installed the Facebook app, according to Google Play, the official app store for Android users. The issue involves phone numbers being sent over the internet to Facebook servers, even before users login to their accounts. Symantec said it reached out to Facebook, and  the social networking site would provide a fix for the bug in the next Facebook for Android release. 

Troy Vennon, director of Juniper Network's mobile threat center, told SCMagazine.com that the issue of data-exposing apps is worsened by the fact that less experienced developers sometimes use app toolkits as a reference point for their own apps. But these toolkits often request more information than is necessary from users.

In addition, the issue is exacerbated by users who simply fail to check the privacy policies or details of apps they agree to install, he said.

“They need to make sure they are looking at the permissions the app has,” Vennon said. “More times than not, [users] aren't really doing that."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.